[3.5] krb5: Multiple vulnerabilities (CVE-2017-15088, CVE-2018-5709, CVE-2018-5710)
CVE-2017-15088: Buffer overflow in get_matching_data()

plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions.
CVE-2018-5709: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The variable “dbentry->n_key_data” in kadmin/dbutil/dump.c holds 16-bit data, but the developer assigned a “u4” (32-bit) variable to it, so the value is silently truncated. An attacker can use this vulnerability to affect other artifacts of the database, since a Kerberos database dump file is treated as trusted data.
CVE-2018-5710: NULL pointer dereference in strlen function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The library function “strlen” is called with a “NULL” string as its argument in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows remote authenticated users to cause a denial of service (NULL pointer dereference) via a modified kadmin client.
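The two krb5 1.16 issues above are both missing-validation defects: a 32-bit count narrowed into a 16-bit field (CVE-2018-5709) and a string pointer passed to strlen without a NULL check (CVE-2018-5710). The following is an added illustration written for this page, not krb5 source code; the struct and function names (hypothetical_entry, set_key_count_unchecked, set_key_count_checked, safe_strlen) are assumptions for the example, and the sample values are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record with a 16-bit key counter, standing in for the
 * dbentry->n_key_data field described in CVE-2018-5709 (not the krb5 struct). */
struct hypothetical_entry {
    uint16_t n_key_data;
};

/* Unchecked pattern: a 32-bit count read from the dump is silently
 * truncated modulo 2^16 on assignment, so 65537 is stored as 1. */
void set_key_count_unchecked(struct hypothetical_entry *e, uint32_t u4)
{
    e->n_key_data = (uint16_t)u4;
}

/* Hardened pattern: refuse any count that does not fit the 16-bit field
 * before assigning, so the record stays consistent with the parsed data.
 * Returns 0 on success, EOVERFLOW if the value was rejected (field untouched). */
int set_key_count_checked(struct hypothetical_entry *e, uint32_t u4)
{
    if (u4 > UINT16_MAX)
        return EOVERFLOW;
    e->n_key_data = (uint16_t)u4;
    return 0;
}

/* NULL-tolerant length, for the CVE-2018-5710 pattern: a string attribute
 * that may be absent from a principal record is checked before strlen.
 * Returns -1 for NULL so callers can distinguish "absent" from "empty". */
long safe_strlen(const char *s)
{
    if (s == NULL)
        return -1;
    return (long)strlen(s);
}

/* Stand-alone demonstration with constructed inputs. */
int main(void)
{
    struct hypothetical_entry e = {0};

    set_key_count_unchecked(&e, 65537u);
    printf("unchecked: 65537 stored as %u\n", (unsigned)e.n_key_data);

    int rc = set_key_count_checked(&e, 65537u);
    printf("checked: rc=%d (EOVERFLOW=%d), field still %u\n",
           rc, EOVERFLOW, (unsigned)e.n_key_data);

    printf("safe_strlen(\"admin\")=%ld safe_strlen(NULL)=%ld\n",
           safe_strlen("admin"), safe_strlen(NULL));
    return 0;
}
```

The checked setter fails closed: a count that cannot be represented is reported rather than wrapped, which is the behaviour a dump loader should have even for input it considers trusted. The NULL-returning length helper makes the absent-attribute case an explicit branch instead of a crash in libc.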
(from redmine: issue id 9304, created on 2018-08-21, closed on 2019-05-04)
- copied_to #9299
- parent #9299